In two previous posts, we discussed tips on connecting private and public clouds: the first as an immediate extension of a company’s data center, the second as a way to offload hardware costs, maintenance and any other issues to someone else, share the burden and lower the overall costs.
As it turns out, several companies are choosing a mixed model, which is being called the hybrid cloud.
The idea is that some companies don’t trust public cloud security enough to entrust their most sensitive data to it, but they still want to use it for some data or some applications. At the same time, they want to apply the concept of the cloud to the sensitive data, so they build a private one, where they feel they are more in control of processes, procedures, security and anything related to it.
There are several points to consider.
As a security professional, my thoughts go immediately to the question – who says that the public cloud is not as secure as (or more secure than) the private cloud? Assuming this would mean assuming that the company has security experts on staff who are absolutely certain of their ability to keep the company safe. Many companies can’t afford staff that’s trained in security matters, and most of the time security ends up in the hands of network engineers, whose training doesn’t allow them to properly address the security posture of a company.
As a managed services provider, we see this repeatedly: Networks that have all the tools necessary for protection, but are not protected because they are not configured properly; because the procedures are not in place; because the firewall is configured to the convenience of the network engineer and not to the dictates of security best practices.
So stating that sensitive data is better protected in the private cloud than in the public one is not necessarily a correct assumption.
This, of course, assumes that the public cloud is protected. There are many different offerings for public cloud in the market today.
Some companies offer a protected cloud. They have a team of security-trained experts, who establish processes and procedures, and are in charge of ensuring the security of the entire cloud offering.
Some public cloud companies do not offer any security at all. They simply sell IaaS. You just purchase the use of hardware from them. The advantage of this offering is price – usually you will be sharing the load with several other companies and pay only for what you consume. There is a company (6Fusion) that has actually invented a method for calculating how much of the hardware resources a customer is consuming, and charges based on a concept similar to the power consumption at home – the kWh; in fact, they call it WAC. 6Fusion doesn’t offer anything but hardware; their customers are MSPs, who in turn build solutions for their own customers. The security of each solution is entirely left to the MSP.
There may be instances in such a case where the customer could be better off keeping sensitive data in-house (assuming in-house security is at least decent); or maybe they could both (MSP and customer) seek help from a company such as Network Box, which provides virtual managed security that is perfect for this type of offering. In fact, Network Box has been a valued partner of 6Fusion for almost 2 years now, and we can count several of their customers as our own.